12-14-2016 12:22 PM - edited 03-05-2019 07:40 AM
I'm trying to get TLS working on our Exchange 2013 server and I've narrowed it down to our router obfuscating the ESMTP commands exiting our network. I've seen plenty of examples of disabling ESMTP inspection on ASA devices but not on my 871 ISR. Currently running 12.4(15).
Relevant config for SMTP:
ip port-map user-smtps port tcp 587 description TLS
class-map type inspect match-all email-service
 match access-group name email-servers
 match class-map email-protocols
class-map type inspect match-any email-protocols
 match protocol smtp extended
 match protocol user-smtps
policy-map type inspect internet-private-pmap
 class type inspect email-service
  inspect
zone security private
zone security internet
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-pmap
ip nat inside source static tcp 192.168.100.10 25 interface FastEthernet4 25
ip access-list extended email-servers
 permit ip any host 192.168.100.10
 permit ip host 192.168.100.10 any
How do I disable ESMTP inspection or at least bypass it?
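A quick client-side check for the symptom described in this post, added here as an example and not code from the thread: it parses an EHLO reply and reports whether STARTTLS is advertised or whether the reply looks like an inspecting firewall has masked the banner or extension keywords. The two sample replies are constructed, not captured from the poster's server, and the masking heuristic (runs of `X` or `*`) is an assumption about how the inspection engine rewrites text; `probe()` does the same check live against a host and port you supply.

```python
import re
import socket

# Constructed sample EHLO replies (not captured from the poster's server).
# A healthy Exchange-style reply that advertises STARTTLS:
CLEAN_EHLO = (
    "250-mail.example.net Hello [203.0.113.5]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM LOGIN\r\n"
    "250 8BITMIME\r\n"
)
# The same reply as a client might see it through a firewall that masks the
# greeting and disallowed extension keywords (assumed masking style: runs of X):
MASKED_EHLO = (
    "250-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-XXXXXXXX\r\n"
    "250-AUTH NTLM LOGIN\r\n"
    "250 8BITMIME\r\n"
)

# Heuristic (assumption): masked text shows up as long runs of X or *.
MASK_RE = re.compile(r"[X*]{8,}")


def parse_ehlo(reply):
    """Split a multi-line EHLO reply into (code, greeting, {EXT: [params]})."""
    lines = [ln for ln in reply.splitlines() if len(ln) >= 3]
    code = lines[0][:3]
    greeting = lines[0][4:]
    extensions = {}
    for ln in lines[1:]:
        fields = ln[4:].split()  # strip "250-" / "250 " prefix
        if fields:
            extensions[fields[0].upper()] = fields[1:]
    return code, greeting, extensions


def looks_masked(reply):
    return bool(MASK_RE.search(reply))


def classify(reply):
    """Return one verdict string for an EHLO reply."""
    code, _, exts = parse_ehlo(reply)
    if code != "250":
        return "ehlo-rejected"
    if "STARTTLS" in exts:
        return "starttls-offered"
    if looks_masked(reply):
        return "starttls-masked"
    return "no-starttls"


def read_reply(sock_file):
    """Read one SMTP reply; continuation lines carry '-' in column 4."""
    lines = []
    while True:
        raw = sock_file.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "\r\n".join(lines) + "\r\n"


def probe(host, port=25, helo_name="probe.example", timeout=10):
    """Live check: connect, read the banner, send EHLO, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        banner = read_reply(f)
        f.write(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = read_reply(f)
        f.write(b"QUIT\r\n")
    return classify(ehlo), banner, ehlo


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        verdict, banner, ehlo = probe(sys.argv[1], port)
        print(verdict)
        print(banner + ehlo)
    else:
        for name, sample in (("clean", CLEAN_EHLO), ("masked", MASKED_EHLO)):
            print(name, classify(sample))
```

Run it with no arguments to see the two constructed samples classified, or as `python check_ehlo.py mail.example.net 25` (hypothetical file name) from outside the router to compare what the Internet sees with what the Exchange server itself sends on the LAN.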
12-15-2016 02:30 PM
Hello,
to bypass inspection of ESMTP traffic, you need to define two class maps (one inbound and one outbound) and specify the 'pass' action. It would look like this:
class-map type inspect match-all PASS_ESMTP_INBOUND
 match protocol smtp extended
 match access-group name EMAIL_SERVERS_INBOUND
class-map type inspect match-all PASS_ESMTP_OUTBOUND
 match protocol smtp extended
 match access-group name EMAIL_SERVERS_OUTBOUND
ip access-list extended EMAIL_SERVERS_INBOUND
 permit ip any host 192.168.100.10
ip access-list extended EMAIL_SERVERS_OUTBOUND
 permit ip host 192.168.100.10 any
policy-map type inspect ESMTP_TRAFFIC
 class type inspect PASS_ESMTP_INBOUND
  pass
 class type inspect PASS_ESMTP_OUTBOUND
  pass
 class class-default
12-16-2016 05:49 AM
Basically change from inspect to pass on the policy-map. I'm positive I tried that but I'll give it a go and come back. Maybe I didn't apply it in both directions... Thanks!
12-16-2016 11:17 AM
So I updated inbound and outbound policy-maps to pass the email-service instead of inspect.
policy-map type inspect internet-private-pmap
 class type inspect email-service
  pass
policy-map type inspect private-internet-pmap
 class type inspect email-service
  pass
Result is that nothing can connect... SMTP:25 port appears as Stealth according to GRC Shields Up. Had to go back to inspect to get email flowing again.
Any other suggestions?
12-16-2016 12:40 PM
Hello,
just to be sure, do you also have a zone pair from private to Internet configured? Can you post the full config of your router?
12-19-2016 08:33 AM
12-19-2016 12:21 PM
Hello,
try and add the below to your inbound and outbound policy maps:
policy-map type inspect internet-private-pmap
 class type inspect email-service
  pass
 class type inspect email-protocols
  pass
policy-map type inspect private-internet-pmap
 class type inspect email-service
  pass
 class type inspect email-protocols
  pass
12-20-2016 05:47 AM
Hmm.. same result. I tried putting email-protocols above all else in the policy map as well and it still blocks the port. Oh well... thanks for trying. This router is getting a little old anyway... might be time to replace it.
12-15-2016 03:33 PM
Hi,
have you tried changing the policy-map
policy-map type inspect internet-private-pmap
 class type inspect email-service
  inspect
to
policy-map type inspect internet-private-pmap
 class type inspect email-service
  pass
Thanks
John